"In Re: Facebook Privacy Litigation"

Filing 36

CONSOLIDATED CLASS ACTION COMPLAINT against Facebook, Inc.. Filed by David Gould, Mike Robertson. (Nassiri, Kassra) (Filed on 10/11/2010) Modified on 10/13/2010 (cv, COURT STAFF).

Download PDF
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 KASSRA P. NASSIRI (215405) (knassiri@nassiri-jung.com) CHARLES H. JUNG (217909) (cjung@nassiri-jung.com) NASSIRI & JUNG LLP 47 Kearny Street, Suite 700 San Francisco, California 94108 Telephone: (415) 762-3100 Facsimile: (415) 534-3200 EDELSON MCGUIRE LLP SEAN REIS (184044) (sreis@edelson.com) 30021 Tomas Street, Suite 300 Rancho Santa Margarita, CA 92688 Telephone: (949) 450-2124 Facsimile: (949) 459-2123 MICHAEL J. ASCHENBRENER (maschenbrener@edelson.com)(pro hac vice) BENJAMIN H. RICHMAN (brichman@edelson.com)(pro hac vice) 350 North LaSalle Street, Suite 1300 Chicago, Illinois 60654 Telephone: (312) 589-6370 Facsimile: (312) 589-6378 Attorneys for Plaintiffs and the Putative Class UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION Case No. 10-cv-02389-JW CLASS ACTION CONSOLIDATED CLASS ACTION COMPLAINT IN RE: FACEBOOK PRIVACY LITIGATION ACTION FILED: 05/28/10 JURY TRIAL DEMANDED Plaintiffs David Gould and Mike Robertson ("Plaintiffs") bring this suit on behalf of themselves and all others similarly situated, and make the following allegations on information and belief, except as to allegations pertaining to Plaintiffs, which are based on their personal knowledge: I. 1. INTRODUCTION Plaintiffs bring this class action complaint against Facebook, Inc. ("Facebook") for sharing its users' sensitive personally identifiable information ("PII"), including users' real names, -1CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 with Facebook's advertising partners, in violation of Facebook's own privacy policy, Facebook's specific and prominent promises to users, accepted industry standards, and federal law. 2. Facebook's own policies state that "We never share your personal information with our advertisers" and "[w]e do not give your content of information to advertisers without your consent." Facebook touts these statements in multiple areas of its site including its privacy policy and multiple "blog" statements. 3. Unbeknownst to Facebook users, and in violation of Facebook's own stated policies and privacy laws, Facebook intentionally and knowingly transmitted PII, including users' real names, to third party advertisers without user consent. II. 4. PARTIES Plaintiff David Gould is a resident of South Lake Tahoe, California. He is a registered user of Facebook's services and has been since at least 2008. During the relevant time period, Plaintiff Gould clicked on at least one third-party advertisement displayed on Facebook.com. 5. Plaintiff Mike Robertson is a resident of Marin County, California. He is a registered user of Facebook's services and has been since at least 2008. During the relevant time period, Plaintiff Robertson clicked on at least one third-party advertisement displayed on Facebook.com. 6. Defendant Facebook, Inc. (hereinafter, "Facebook") is a Delaware corporation that maintains its headquarters in Santa Clara County, California. Facebook conducts business throughout California and the nation. III. 7. JURISDICTION AND VENUE This Court has personal jurisdiction over Facebook because (a) a substantial portion of the wrongdoing alleged in this complaint took place in this state, (b) Facebook is authorized to do business here, has sufficient minimum contacts with this state, and/or otherwise intentionally avails itself of the markets in this state through the promotion, marketing and sale of products and services in this state, to render the exercise of jurisdiction by this Court permissible under traditional notions of fair play and substantial justice. 8. This Court has subject matter jurisdiction pursuant to the Class Action Fairness Act of 2005, 28 U.S.C. 1332(a) and 1332(d) because the amount in controversy exceeds -2CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 $5,000,000.00 exclusive of interest and costs, and more than two-thirds of the users of the putative class are citizens of states different than that of Facebook. Additionally, the Court has subject matter jurisdiction pursuant to 28 U.S.C. 1331. 9. Venue is proper in this District under 28 U.S.C. 1391(b) and (c). A substantial portion of the events and conduct giving rise to the violations of law complained of herein occurred in this District. Facebook's principal executive offices and headquarters are located in Santa Clara County, California. IV. 10. INTRADISTRICT ASSIGNMENT Intradistrict assignment to the San Jose Division is proper because the principal offices of defendant Facebook are located in Santa Clara County. V. A. 11. About Facebook Facebook is the world's largest social networking website, with over 500 million STATEMENT OF FACTS registered users worldwide. 12. According to Facebook, its "mission is to give people the power to share and make the world more open and connected." (www.facebook.com/facebook?v=info%ref=pf) To accomplish that mission, Facebook allows anyone with access to a computer and Internet connection to register for its services free of charge. 13. One of the few requirements Facebook places on its registrants is that they provide their actual names, rather than merely create a "screen name" or "user name," as is commonplace with other website registrations. 14. Once registered, a Facebook user may post a multitude of information to their own personal "Facebook profile" page, including their birth date, place of birth, current and past addresses, present and past employment, relationship status, personal pictures, videos, and more. Facebook presents users with pre-made forms in which users may enter this type of personal information. 15. Each Facebook user has a user ID number which uniquely identifies that user. Many users also have usernames which uniquely identify them. If a person knows a Facebook user's user -3CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ID or username, that person can see the user's Facebook page and see the user's real name, gender, picture, friends, networks, wall posts, photos, and more. 16. In many ways, Facebook is accomplishing its stated mission. Facebook users share an unprecedented amount of personal information through the service. While users may share this information in order to connect with other Facebook users, they are also sharing this information with Facebook itself. And all this personal information is valuable to Facebook because it is valuable to advertisers. B. 17. Advertising on Facebook Because users share so much information through Facebook, Facebook is able to use that information to help its advertisers target their ads to finely-tailored audiences. 18. This targeting may help explain Facebook's success in generating advertisement impressions. According to comScore's Ad Metrix services, Facebook now serves more ad impressions than any other online entity. comScore reports that in the first quarter of 2010, Facebook served up approximately 16.2% of all display ad impressions on the Internet.1 19. In fact, the information Facebook possesses allows its advertisers to target their ads based on age, city of residence, gender, and interests, such as mountain biking, for example. This allows a local mountain bike store to only pay for ads that Facebook serves to 20 to 30-year old men in Moab, Utah who have expressly shared with Facebook an interest in mountain biking. 20. The only thing better for the advertiser would be to know the true identity of that 20- something male mountain biker. But Facebook's own Privacy Policy prohibits this. Facebook specifically states: How We Use Your Information To serve personalized advertising to you. We don't share your information with advertisers without your consent. (An example of consent would be if you asked us to provide your shipping address to an advertiser to receive a free sample.) We allow advertisers to choose the characteristics of users who will see their advertisements and we may use any of the non-personally identifiable attributes we have collected (including information you may have 1 http://www.comscore.com/Press_Events/Press_Releases/2010/5/Americans_Received_1_Trillion_ Display_Ads_in_Q1_2010_as_Online_Advertising_Market_Rebounds_from_2009_Recession. -4CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 decided not to show to other users, such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for those advertisements. For example, we might use your interest in soccer to show you ads for soccer equipment, but we do not tell the soccer equipment company who you are... Facebook's Privacy Policy, http://www.facebook.com/policy.php (last visited May 31, 2010) (emphasis in original). 21. Facebook makes similar representations in its Privacy Guide: We never share your personal information with our advertisers. Facebook's ad targeting is done entirely anonymously. If advertisers select demographic targeting for their ads, Facebook automatically matches those ads to the appropriate audience. Advertisers only receive anonymous data reports. Controlling How You Share, http://www.facebook.com/privacy/explanation.php (last visited May 31, 2010)(emphasis in original). 22. Facebook makes similar representations in its Statement of Rights and Responsibilities: About Advertisements on Facebook Our goal is to deliver ads that are not only valuable to advertisers, but also valuable to you. In order to do that, you agree to the following: 1. You can use your privacy settings to limit how your name and profile picture may be associated with commercial or sponsored content served by us. You give us permission to use your name and profile picture in connection with that content, subject to the limits you place. 2. We do not give your content or information to advertisers without your consent. Statement of Rights and Responsibilities, http://www.facebook.com/terms.php (last visited on May 31, 2010). 23. Facebook management made similar statements on the Facebook Blog. Facebook's Director of Corporate Communications and Public Policy posted the following on April 5, 2010: Still others asked to be opted-out of having their information shared with advertisers. This reflects a common misconception about advertising on Facebook. We don't share your information with advertisers unless you tell us to (e.g. to get a sample, hear more, or enter a contest). Any assertion to the contrary is false. Period. Instead, we enable advertisers to target anonymized demographics and attributes. That is, a company selling boats can target people between 40 and 50 years old who expressed an interest in boating. -5CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 However, we never provide the advertiser any names or other information about the people who are shown, or even who click on, the ads. The Facebook Blog, http://blog.facebook.com/blog.php?post=379388037130 (last visited May 31, 2010). 24. In response to widespread concern about the privacy of user information, on February 16, 2009, Facebook's CEO, Mark Zuckerberg, reiterated that personal information would not be shared without user consent: Our philosophy is that people own their information and control who they share it with. When a person shares information on Facebook, they first need to grant Facebook a license to use that information so that we can show it to the other people they've asked us to share it with. Without this license, we couldn't help people share that information ... In reality, we wouldn't share your information in a way that you wouldn't want. The trust you place in us as a safe place to share information is the most important part of what makes Facebook work. The Facebook Blog, http://blog.facebook.com/blog.php?post=54434097130 (last visited October 6, 2010). 25. While Facebook advertisers are able to engage in very targeted advertising, Facebook, through these and other representations, promises not to share any user's specific identity or personal information with any advertisers. 26. Facebook requires its users to agree to this Privacy Policy upon registering with the site. As a user creates a Facebook account, Facebook presents hyperlinks with text requiring users to affirm that they "have read and agree to" Facebook's Terms of Use (a hyperlink to the document entitled Statement of Rights and Responsibilities) and Facebook's Privacy Policy. C. 27. Facebook Violates Its Privacy Policy In direct violation of its own Privacy Policy and of the representations quoted above, Facebook shares users' information with third-party advertisers without users' knowledge or consent. 28. When a Facebook user clicks on an advertisement posted on Facebook's website, Facebook sends a "Referrer Header" to the corresponding advertiser. The Referrer Header reveals the specific web page address the user was viewing prior to clicking the advertisement. Through the design of the Facebook website, Facebook's web page addresses, and Facebook's advertisement -6CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 system, Facebook has caused users' browsers to send Referrer Header transmissions that report the user ID or username of the user who clicked an ad, as well as the page the user was viewing just prior to clicking on the ad. 29. When a Facebook advertiser receives a Referrer Header reporting the user who clicked an ad, the advertiser can obtain substantial additional information about the user, such as the user's name, gender, picture, friends, networks, wall posts, photos, and more. The advertiser's staff can simply navigate to the user's profile to obtain this information. Alternatively, an advertiser can design software to automatically collect and store this data as to each user who clicks an ad. However the advertiser elects to obtain this information, Facebook does nothing to prevent the advertiser from using the information for whatever purpose the advertiser chooses. 30. Thus, Facebook advertisers are able to gain even more detailed user information: not just anonymous user demographics, but specific information about individual users including real name, gender, friends, interests, and more. Facebook's systems send this information to advertisers despite Facebook's Privacy Policy and its other representations as to users' privacy vis--vis advertisers. D. 31. The Scope and Duration of Facebook's Nonconsensual Transmissions On information and belief, Facebook began the affected transmissions no later than February 2010 when Facebook implemented a website "upgrade" that began to embed ever more detailed data within Referrer Headers. In particular, Facebook caused Referrer Headers to include not just the URL of a web page a person was viewing (e.g. a person viewing the profile of Facebook user John Doe) but also confirmation of the specific identify of the person viewing a web page (e.g. that it is John Doe himself who is viewing his own profile). Nor did Facebook limit its revelation of user identities to users viewing their own profiles. For example, if one Facebook user viewed another user's profile, the resulting Referrer Headers would report both the username or user ID of the person whose profile was viewed, and the username or user ID of the person viewing that profile (e.g., John Doe was viewing the profile of Jane Doe). Similar information was revealed as users browsed photos or used other Facebook functions. Clicking an ad in any of these circumstances -7CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 caused the advertiser to receive the entire web address of the page the user was visiting, including the user's Facebook username. 32. This unauthorized disclosure of a person's identity and what Facebook page they were viewing could have the effect of revealing to advertisers confidential and sometimes highly sensitive information, including a user's private interests. For example, if a Facebook user who was gay and struggling to come out of the closet was viewing the Facebook page of a gay support group, and then clicked on an ad, the advertiser would know the exact identity of that person, and that s/he was viewing the Facebook page of a gay support group just before navigating to their site. 33. These transmissions continued until the publication of a May 21, 2010 article in the Wall Street Journal2 and a May 21, 2010 posting to the website of Professor Benjamin Edelman of the Harvard Business School3 exposed Facebook's practices. Facebook's staff failed to reveal its practice during the three months in which its millions of users suffered these problems. According to the Wall Street Journal publication, after being contacted by the Journal, Facebook admitted that it had been passing data to ad companies that could allow those companies to tell if a particular user was clicking an ad. Facebook finally ceased the nonconsensual transmissions only after they were discovered by outsiders. E. 34. The Scope and Duration of Facebook's Nonconsensual Transmissions Software engineers are generally familiar with the risk of Referrer Header "leakage" of information companies intended to keep confidential and/or are obliged to keep confidential. 35. The HTTP Referrer function is a standard web browser function, provided by standard web browsers since the HTTP 1.0 specification in May 1996.4 The current version of the publicly-available HTTP specification, RFC 2616,5 provides for HTTP Referrer Headers in its provision 14.36.6 It is well known that if a site places confidential information, such as username or 2 http://online.wsj.com/article/SB10001424052748704513104575256701215465596.html. 3 http://www.benedelman.org/news/052010-1.html 4 http://www.w3.org/Protocols/rfc1945/rfc1945 5 http://www.w3.org/Protocols/rfc2616/rfc2616.html 6 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36 -8CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 user ID, in a URL, then the site risks releasing this information whenever a user clicks a link to leave the site, e.g. by clicking on an advertisement. Indeed, the HTTP specification specifically flags this risk; in section 15.1.3, the HTTP specification advises developers of substantially the same problem: "Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the REQUESTURI."7 36. Facebook's software engineers knew or should have known that private user information would be divulged as a result of Facebook's website re-design. Facebook was put on specific notice of the problem with their Referrer Headers when, in August 2009, Balachander Krishnamurthy and Craig E. Wills published an article titled, "On the Leakage of Personally Identifiable Information Via Online Social Networks."8 In this article, the authors detail the problem of Facebook and other sites sharing with advertisers information that the sites previously promised to protect. The authors specifically sent this article to Facebook. Facebook confirmed its knowledge of the Krishnamurthy et al. article in September 2009.9 VI. 37. CLASS ACTION ALLEGATIONS Plaintiff brings this action on behalf of himself and all other persons in the following similarly-situated class: all Facebook users in the United States who, at any time after May 28, 2006 clicked on a third-party advertisement displayed on Facebook.com (the "Class"). Excluded from the Class are Facebook, its officers and directors, legal representatives, successors or assigns, any entity in which Facebook has or had a controlling interest, the judge to whom this case is assigned and the judge's immediate family. 38. Every member of the proposed Class is a party to Facebook's Terms and Conditions and Privacy Policy as alleged herein. 7 http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3 8 http://conferences.sigcomm.org/sigcomm/2009/workshops/wosn/papers/p7.pdf. 9 http://www.mediapost.com/publications/index.cfm?fa=Articles.showArticle&art_aid=114344. -9CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 39. The Class is composed of numerous people, whose joinder in this action would be impracticable. The disposition of their claims through this class action will benefit Class members, the parties and the courts. Since 2006, Facebook has grown from millions of users to over 500 million users. Upon information and belief, there are millions of persons in the Class. 40. Upon information and belief, the identities and contact information of the individual members of the Class are available through Facebook's electronic records. 41. There is a well-defined community of interest in questions of law and fact affecting the Class. These questions of law and fact predominate over individual questions affecting individual Class members, including, but not limited to, the following: a. what and how personally-identifiable data and advertisement click information was transmitted to advertisers; b. whether Facebook violated its Terms of Service, Privacy Policy, and other representations to users by making its users' personal information and advertisement click information available to advertisers without authorization; c. whether any Class member knew or consented to Facebook's transmission of personally-identifiable data to advertisers; d. whether Class members are entitled to damages as a result of Facebook's conduct, and, if so, what is the measure of those damages; e. whether Facebook's conduct described herein violated the Electronic Communications Privacy Act, 18 U.S.C. 2510 et seq. (the "ECPA"); f. whether Facebook's conduct described herein Stored Communications Act, 18 U.S.C. 2701 et seq.(the "SCA"); g. whether Facebook's conduct described herein violated California's Unfair Competition Law (Cal. Bus. & Prof. Code 17200, et seq.); h. whether Facebook's conduct described herein violated California's Computer Crime Law (Cal. Penal Code 502); i. whether Facebook's conduct described herein violated the California Legal Remedies Act (Cal. Civ. Code 1750, et seq.); -10CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 50. 42. j. whether Facebook's conduct described herein constitutes a breach of contract; and k. whether Facebook was unjustly enriched as a result of its conduct described herein. Facebook engaged in a common course of conduct giving rise to the legal rights sought to be enforced by Class members. Similar or identical statutory and common law violations, business practices and injuries are involved. Individual questions, if any, pale by comparison to the numerous common questions that dominate. 43. The injuries sustained by members of the Class flow, in each instance, from a common nucleus of operative facts. In each case, Facebook caused or permitted unauthorized communications of private and personally identifying information to be delivered to third parties without adequate or any notice, consent or opportunity to opt out. 44. Given the similar nature of the Class members' claims and the absence of material differences in the statutes and common laws upon which the Class members' claims are based, a nationwide class will be easily managed by the Court and the parties. 45. Because of the relatively small size of the individual Class members' claims, no Class user could afford to seek legal redress on an individual basis. 46. Plaintiffs' claims are typical of those of the Class as all members of the Class are similarly affected by Facebook's uniform and actionable conduct as alleged herein. 47. Facebook has acted and failed to act on grounds generally applicable to Plaintiffs and the other members of the Class, requiring the Court's imposition of uniform relief to ensure compatible standards of conduct toward the members of the Class. 48. Plaintiffs will fairly and adequately protect the interests of the Class and have retained counsel competent and experienced in class action litigation. Plaintiffs have no interests antagonistic to, or in conflict with, the Class that Plaintiffs seek to represent. 49. in discovery. COUNT I (Violation of the Electronic Communications Privacy Act) Plaintiffs incorporate the foregoing allegations as if fully set forth herein. -11CONSOLIDATED CLASS ACTION COMPLAINT Plaintiffs reserve the right to revise the above class definition based on facts learned 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 51. The Electronic Communications Privacy Act, 18 U.S.C. 2510 et seq. (the "ECPA") broadly defines an "electronic communication" as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in party by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce..." 18 U.S.C. 2510(12). 52. Pursuant to the ECPA, Facebook operates an "electronic communications service" as defined in 18 U.S.C. 2510(15). Facebook provides its users with the ability to send or receive electronic communications to or from any of Facebook's millions of users and to or from third parties who are not Facebook users, such as advertisers. These electronic communications include, among other things, the ability for users to send and receive private messages, share photographs and video, and the ability to post messages on user profile pages that can be viewed by anyone with access to those profile pages. Facebook also provides its advertisers the ability to send electronic communications to Facebook users by placing targeted advertisements on Facebook.com, and allows Facebook users to receive those electronic communications and send electronic communications to advertisers by clicking on advertising banners. 53. The ECPA broadly defines the contents of a communication. Pursuant to the ECPA, "contents" of a communication, when used with respect to any wire, oral, or electronic communications, include any information concerning the substance, purport, or meaning of that communication. 18 U.S.C. 2510(8). "Contents," when used with respect to any wire or oral communication, includes any information concerning the identity of the parties to such communication or the existence, substance, purport, or meaning of that communication. The definition thus includes all aspects of the communication itself. No aspect, including the identity of the parties, the substance of the communication between them, or the fact of the communication itself, is excluded. The privacy of the communication to be protected is intended to be comprehensive. 54. The ECPA prevents an electronic communications service provider from intentionally divulging the contents of any communication while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication. 18 U.S.C. 2511(3)(a). -12CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 55. Plaintiffs and Class members are "person[s] whose ... electronic communication[s] [are] disclosed... or intentionally used in violation of this chapter" within the meaning of 18 U.S.C. 2520(a). 56. By clicking on an advertisement banner displayed on Facebook.com, users are asking Facebook to send an electronic communication to the advertiser who supplied the ad. But pursuant to Facebook's Terms and Conditions and its Privacy Policy, users do not expect and do not consent to Facebook's disclosure of all contents of that communication. Facebook users expect that certain aspects of their communications concerning advertisers--namely their identities and what Facebook page they were viewing at the time they clicked an ad--will be configured by Facebook to be private. 57. The design of the Facebook website, Facebook's web page addresses, and Facebook's advertisement system is evidence of Facebook's conscious objective to divulge the identities of its users to advertisers. By divulging user identities and other user information to advertisers without user consent, Facebook intentionally violated 18 U.S.C. 2511(3)(a). Facebook intentionally disclosed user identities to advertisers to enhance its profitability and revenue through advertising. This disclosure was not necessary for the operation of Facebook's system or to protect Facebook's rights or property. 58. Each incident in which Facebook divulged personally identifiable information of a Facebook user is a separate and distinct violation of the ECPA. Plaintiffs and members of the Class therefore seek remedy as provided for by 18 U.S.C. 2520, including such preliminary and other equitable or declaratory relief as may be appropriate, damages consistent with subsection (c) of that section to be proven at trial, punitive damages to be proven at trial, and attorneys' fees and other litigation costs reasonably incurred. 59. Plaintiffs and the Class, pursuant to 18 U.S.C. 2520(2), are entitled to preliminary, equitable, and declaratory relief, in addition to statutory damages of the greater of $10,000 or $100 a day for each day of violation, actual and punitive damages, reasonable attorneys' fees, and Facebook's profits obtained from the violations described herein. -13CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 60. 61. COUNT II (Violations of the Stored Communications Act) Plaintiffs incorporate the foregoing allegations as if fully set forth herein. The Stored Communications Act of 1986 ("SCA") incorporates the ECPA's definition of an "electronic communication service." 18 U.S.C. 2711(1). As set forth above, Facebook is an electronic communications service provider within the meaning of the ECPA and is therefore also subject to the restrictions contained in the SCA governing electronic communications service providers. 62. The SCA also incorporates the ECPA's broad definition of "electronic communication" and "electronic storage." 18 U.S.C. 2711(1). Pursuant to the ECPA and SCA, "electronic storage" means any "temporary storage of a wire or electronic communication incidental to the electronic transmission thereof." 18 U.S.C. 2510(17)(A). This type of electronic storage includes communications in intermediate electronic storage that have not yet been delivered to their intended recipient. 63. Examples of communications held by Facebook in temporary storage pursuant to 18 U.S.C. 2510(17)(A) include private messages not yet received by the intended recipient and user requests to Facebook to visit advertiser websites. 64. The SCA prohibits any electronic communications service provider from divulging to any person or entity the contents of a communication while in electronic storage by that service. 18 U.S.C. 2702(a)(1). 65. When a Facebook user clicks on an ad, the user is asking Facebook to send an electronic communication to that advertiser allowing the user to view the advertiser's website. By clicking an ad, the Facebook user also tells Facebook, via an electronic communication, who the user is, what Facebook page the user is viewing, and where the user wants to go. This information is held in temporary storage by Facebook pending the delivery of the user's request to the advertiser website. By divulging to advertisers the user's identity and what Facebook page they were viewing just prior to leaving Facebook.com, Facebook violated 18 U.S.C. 2702(a)(1). 66. The design of the Facebook website, Facebook's web page addresses, and Facebook's advertisement system is evidence of Facebook's knowledge of and intent to divulge the private -14CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 contents of its users' electronic communications without user consent, in violation of 18 U.S.C. 2702(1)(a). Facebook intentionally disclosed user identities and other information to advertisers to enhance its profitability and revenue through advertising. The disclosures were not necessary for the operation of Facebook's system or to protect Facebook's rights or property. 67. The SCA definition of "electronic storage" also includes "storage of [a wire or electronic] communication by an electronic communication service for purposes of backup protection of such communication." 18 U.S.C. 2510(17)(B). The information that Facebook users send via electronic communications to Facebook to be displayed in user profiles--such as name, gender, pictures, friends, religious, political and sexual preferences, wall posts and more--is electronically stored by Facebook for backup purposes. All of the foregoing user information, once posted, remains available for viewing and re-access at a later time by the user and other persons authorized by the user to access that information. This storage is one of the main services that Facebook provides to its users. 68. Because Facebook thus operates as a "virtual filing cabinet" for its users, allowing them to store and re-access at a later time their photos, messages, wall posts and more, Facebook is also a "remote computing service" provider pursuant to 18 U.S.C. 2711(2). 69. The SCA, at 18 U.S.C. 2702(a)(2), provides that "a person or entity providing an remote communication service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carrier or maintained on that service (A) on behalf of, and received by means of electronic transmission...a subscriber or customer of such service; (B) solely for the purpose of providing storage...to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing." 70. As a result of Facebook's disclosure of user identities, Facebook gives unauthorized access to and thereby divulges electronically-stored information to advertisers about the particular user who clicked an ad. With the user name that Facebook provides them, advertisers can navigate to user profiles and see a user's stored electronic communications, including Facebook names, gender, pictures, friends, networks, wall posts, photos, and more. Because Facebook is both an -15CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 electronic communication service provider and a remote computing service provider, Facebook's disclosure of this information to advertisers is in violation of both 18 U.S.C. 2702(a)(1) and (2). As set forth above, Facebook's disclosures were knowing and intentional and designed to enhance its profitability and revenue through advertising. The disclosures were not necessary for the operation of Facebook's system or to protect Facebook's rights or property. 71. Facebook intentionally and knowingly divulged confidential and private information relating to Plaintiffs and Class member' stored electronic communications without the consent, knowledge or authorization of Plaintiffs and members of the Class. 72. Plaintiffs and Class members are "person[s] aggrieved by [a] violation of [the SCA] in which the conduct constituting the violation is engaged in with a knowing or intentional state or mind..." within the meaning of 18 U.S.C. 2707(a). 73. Each incident in which Facebook provided personally identifiable information of a Facebook user, thereby divulging that user's stored communications to a third party, is a separate and distinct violation of the SCA, subject to the remedies provided under the SCA, and specifically pursuant to 18 U .S.C. 2707(a). 74. Plaintiffs and users of the Class therefore seek remedy as provided for by 18 U.S.C. 2707(b) and (c), including such preliminary and other equitable or declaratory relief as may be appropriate, damages consistent with subsection (c) of that section to be proven at trial, punitive damages to be proven at trial, and attorneys' fee and other litigation costs reasonably incurred. 75. Plaintiffs and the Class, pursuant to 18 U.S.C. 2707(c), are entitled to preliminary, equitable, and declaratory relief, in addition to statutory damages of no less than $1,000 per violation, actual and punitive damages, reasonable attorneys' fees, and Facebook's profits obtained from the violations described herein. COUNT III (Violation of Cal. Bus. & Prof. Code 17200) 76. 77. Plaintiff incorporates the foregoing allegations as if fully set forth herein. California's Unfair Competition Law ("UCL"), Cal. Bus. & Prof. Code 17200, et seq., protects both consumers and competitors by promoting fair competition in commercial markets for goods and services. -16CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 78. The UCL prohibits any unlawful, unfair or fraudulent business act or practice. A business practice need only meet one of the three criteria to be considered unfair competition. An unlawful business practice is anything that can properly be called a business practice and that at the same time is forbidden by law. 79. As described herein, Facebook's nonconsensual disclosure of its users' personal information to third-party advertisers without their authorization is a violation of the UCL. 80. Facebook has violated the "unlawful" prong of the UCL in that Facebook's conduct violated the ECPA (18 U.S.C. 2510 et seq.), the SCA (18 U.S.C. 2701 et seq.), Consumer Legal Remedies Act (Cal. Civ. Code 1750 et seq.), and the California Computer Crime Law (Cal. Penal Code 502). 81. Facebook violated the fraudulent prong of the UCL by explicitly representing in its Privacy Policy and in subsequent public statements that it would not make users' personal information available to any third party without authorization. Facebook used those misrepresentations to induce users to submit their personally identifiable information to its website. Facebook then knowingly transmitted that information to third parties without its users' authorization. 82. Facebook violated the unfair prong of the UCL by gaining control over and divulging to third parties its users' PII without consent and under false pretenses. 83. Facebook's unfair or deceptive practices occurred primarily and substantially in California. Decisions concerning the retention and safeguarding the disclosure of user information were made in California, Facebook maintains all or a substantial part of its computer systems containing user information in California, and the disclosure of its users' information took place primarily and substantially in California. 84. Pursuant to Cal. Bus. & Prof. Code 17203, Plaintiffs seek an order of this Court permanently enjoining Facebook from continuing to engage in the unfair and unlawful conduct described herein. Plaintiffs seek an order requiring Facebook to (1) immediately cease the unlawful practices stated in this Complaint; and (2) awarding Plaintiffs and the Class reasonable costs and attorneys' fees pursuant to Cal. Code Civ. Proc. 1021.5. -17CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 COUNT IV (Violation of California's Computer Crime Law ("CCCL"), Cal. Penal Code 502) 85. 86. Plaintiffs incorporate the foregoing allegations as if fully set forth herein. Facebook knowingly accessed and without permission used any data, computer, computer system, or computer network in order to execute a scheme or artifice to deceive and/or to wrongfully control or obtain money, property, or data in violation of Cal. Penal Code 502(c)(1). Facebook did so by accessing and sharing with advertisers the personal information of Plaintiffs and Class members in order to deceive Facebook users and/or to wrongfully obtain money from advertisers and more data from Facebook users. 87. Facebook knowingly accessed and without permission took, copied, or made use of Plaintiffs' and Class members' personal information in violation of 502(c)(2). 88. Facebook knowingly and without permission used or caused to be used computer services by impermissibly accessing, collecting, and transmitting Plaintiffs' and Class members' personal information in violation of 502(c)(3). 89. Facebook knowingly and without permission provided or assisted in providing a means of accessing a computer, computer system, or computer network by creating a system that allowed advertisers to impermissibly access, collect, and transmit Plaintiffs' and Class members' personal information in violation of 502(c)(6). 90. Facebook knowingly and without permission accessed or caused to be accessed Plaintiffs' and Class members' computers and/or computer networks by impermissibly divulging Plaintiffs' and Class members' personal information to advertisers in violation of 502(c)(7). 91. Facebook knowingly and without permission introduced a computer contaminant, as defined in 502(b)(10), by introducing computer instructions designed to record or transmit to advertisers Plaintiffs' and the Class's personally-identifiable information on Facebook's computer networks without the intent or permission of Plaintiffs or the Class in violation of 502(c)(8). 92. As a direct and proximate result of Facebook's violation of 502, Facebook caused loss to Plaintiffs and the Class members in an amount to be proven at trial. Plaintiffs and the Class are entitled to the recovery of attorneys' fees pursuant to 502(e). -18CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 93. Plaintiffs and Class members have also suffered irreparable injury as a result of Facebook's unlawful conduct, including the collection and sharing of their personal information. Additionally, because the stolen information cannot be returned, the harm from the security breach is ongoing and compounding. Accordingly, Plaintiffs and the Class have no adequate remedy at law, entitling them to injunctive relief. COUNT V (Violation of the Consumers Legal Remedies Act, Cal. Civ. Code 1750, et seq.) 94. 95. Plaintiffs incorporate the foregoing allegations as if fully set forth herein. The Consumers Legal Remedies Act prohibits the act, use or employment by any person of any deception, fraud, false pretense, false promise, misrepresentation, concealment, suppression or omission of any material fact with intent that others rely upon such act in connection with the sale or advertisement of any merchandise whether or not any person has in fact been misled, deceived or damaged thereby. 96. As described within, Facebook has engaged in deceptive practices, unlawful methods of competition, and/or unfair acts as defined by Cal. Civ. Code 1750, et seq., to the detriment of Plaintiffs and the Class. 97. Facebook, acting with knowledge, intentionally and unlawfully brought harm upon Plaintiffs and the Class by deceptively inducing Plaintiffs and the Class to register with Facebook, supply Facebook with personal and private information, and click on advertisements based upon deceptive and misleading representations that it would not disclose their personal or private information to third-parties without authorization. Specifically, Facebook violated Cal. Civ. Code 1750 in at least the following respects: a. In violation of 1770(a)(5) by representing that goods or services have characteristics and benefits that they do not have; b. In violation of 1770(a)(14) by representing that a transaction confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law; and -19CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 100. 101. 98. c. In violation of 1770(a)(16) by representing that the subject of a transaction has been supplied in accordance with a previous representation when it has not. Plaintiffs and the Class have suffered harm as a direct and proximate result of the Facebook's violations of law and wrongful conduct. 99. Under Cal. Civ. Code 1780(a) & (b), Plaintiffs and the Class seek injunctive relief requiring Facebook to cease and desist the illegal conduct described herein, and any other appropriate remedy for violations of the CLRA. For the sake of clarity, Plaintiffs explicitly disclaim any claim for damages under the CLRA at this time. COUNT VI (Breach of Contract) Plaintiffs incorporate the foregoing allegations as if fully set forth herein. In order to register for and use its social-networking website, Facebook required that Plaintiffs and the Class affirmatively assent to its Terms and Conditions and Privacy Policy (the "Agreement"). 102. The Agreement's provisions constitute a valid and enforceable contract between Plaintiffs and the Class on the one hand, and Facebook on the other. 103. Under the Agreement, Plaintiffs and the Class transmitted sensitive personally- identifiable information to Facebook in exchange for Facebook's promise that it would not share that personal information with third parties, including but not limited to advertisers, without their authorization. 104. Facebook users pay for Facebook's services with their personal information. Facebook's users exchange something valuable--access to their personal information--for Facebook's services and Facebook's promise to safeguard that personal information. In particular, Facebook promises that any personal information submitted by its users will only be disclosed to advertisers in the specific ways and circumstances set out in Facebook's privacy policy and with user consent. 105. Facebook collects revenues in large part because the personal information submitted by its users increases the value of Facebook's advertising services. Because Facebook has access to -20CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 highly personal information about its users, Facebook's advertising platform is particularly attractive to advertisers and marketers who can and do use that personal information to deliver highly-targeted ads to Facebook's users. In this regard, Facebook's services are vehicles to acquire personal information about consumers in order to sell that personal information to advertisers. 106. If not for the inherent and identifiable value of access to personal consumer information, Facebook would be much less profitable. Thus, its promises concerning the safeguarding of the personal information Facebook receives from its users in exchange for its services are vital to its business and its users. 107. Facebook's practices--providing services to consumers and profiting from the sale of personal information to advertisers--have helped Facebook achieve a valuation exceeding $30 billion. 108. Facebook materially breached the terms of the Agreement through its unlawful conduct alleged herein, including its disclosure of Plaintiffs' and the Class's personal information to its advertiser partners. 109. As a result of Facebook's misconduct and breach of the Agreement described herein, Plaintiffs and the Class suffered injury. COUNT VII (Violation of Cal. Civ. Code 1572 & 1573) 110. 111. Plaintiffs incorporate the foregoing allegations as if fully set forth herein. Cal. Civ. Code 1572 provides in relevant part that actual fraud exists when a party to a contract suppresses "that which is true, by one having knowledge or belief of the fact" "with intent to deceive another party thereto, or to induce him to enter into the contract." 112. Cal. Civ. Code 1573 provides in relevant part that constructive fraud exists "[i]n any such act or omission as the law specially declares to be fraudulent, without respect to actual fraud." 113. Facebook violated 1572 through its repeated and explicit false assertions that it would not share the identity of its users with its advertisers without consent, as described herein. Facebook further violated this section by suppressing its knowledge of this fact. -21CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 relief: 114. Additionally and/or alternatively, Facebook violated 1573 by breaching its duty to protect its users' identities from its advertisers and gaining an advantage in doing so, by misleading its users to their prejudice, as described herein. 115. Plaintiffs, on behalf of themselves and the Class, seek damages from Facebook, including but not limited to disgorgement of all proceeds Facebook obtained from its unlawful business practices. COUNT VIII (Unjust Enrichment (In the Alternative)) 116. 117. Plaintiffs incorporate the foregoing allegations as if fully set forth herein. Plaintiffs and the Class have conferred a benefit upon Facebook. Facebook has received and retained money belonging to Plaintiffs and the Class as a result of sharing its users' personal information with its advertisers without their consent, as described herein. 118. 119. Facebook appreciates or has knowledge of said benefit. Under principles of equity and good conscience, Facebook should not be permitted to retain money belonging to Plaintiffs and the Class that it unjustly received as a result of its actions. 120. 121. Plaintiffs and the Class have suffered loss as a direct result of Facebook's conduct. Plaintiffs, on their own behalf and on behalf of the Class, seek the imposition of a constructive trust on and restitution of the proceeds of Facebook received as a result of its conduct described herein, as well as attorney's fees and costs pursuant to Cal. Civ. Proc. Code 1021.5. PRAYER FOR RELIEF WHEREFORE, Plaintiffs, individually and on behalf of the Class, pray for the following A. Certify this case as a class action on behalf of the Class defined above, appoint Plaintiffs Gould and Robertson as class representatives, and appoint their counsel as class cocounsel; B. Declare that Facebook's actions, as described herein, violate the ECPA (18 U.S.C. 2510 et seq.), the SCA (18 U.S.C. 2701 et seq.), California Unfair Competition Law (Cal. Bus. & Prof. Code 17200, et seq.), the Computer Crime Law (Cal. Penal Code 502), and the Consumer -22CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Legal Remedies Act (Cal. Bus. & Prof. Code 1750), and constitute breach of contract, fraud, and unjust enrichment; C. Awarding injunctive and other equitable relief as is necessary to protect the interests of Plaintiffs and the Class, including, inter alia, an order prohibiting Facebook from engaging in the wrongful and unlawful acts described herein; D. Disgorge Facebook of all revenue earned from displaying third-party advertising on Facebook.com during the class period; E. Awarding damages, including statutory damages where applicable, to Plaintiffs and the Class in an amount to be determined at trial; F. Awarding all economic, monetary, actual, consequential, and compensatory damages caused Facebook's conduct, and if its conduct is proved willful, award Plaintiffs and the Class exemplary damages; G. Award restitution against Facebook for all money to which Plaintiffs and the Class are entitled in equity; H. fees; I. allowable; and J. Awarding such other and further relief as equity and justice may require. Respectfully submitted, NASSIRI & JUNG LLP /s/ Kassra P. Nassiri______ Kassra P. Nassiri Attorneys for Plaintiffs and the Putative Class Dated: October 11, 2010 Respectfully submitted, EDELSON MCGUIRE, LLP /s/ Michael J. Aschenbrener_ Michael J. Aschenbrener Attorneys for Plaintiffs and the Putative Class Awarding Plaintiffs and the Class pre- and post-judgment interest, to the extent Awarding Plaintiffs and the Class their reasonable litigation expenses and attorneys' Dated: October 11, 2010 -23CONSOLIDATED CLASS ACTION COMPLAINT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Dated: October 11, 2010 Dated: October 11, 2010 JURY TRIAL DEMANDED Plaintiffs hereby demand a trial by jury. Respectfully submitted, NASSIRI & JUNG LLP /s/ Kassra P. Nassiri______ Kassra P. Nassiri Attorneys for Plaintiffs and the Putative Class Respectfully submitted, EDELSON MCGUIRE, LLP /s/ Michael J. Aschenbrener_ Michael J. Aschenbrener Attorneys for Plaintiffs and the Putative Class -24CONSOLIDATED CLASS ACTION COMPLAINT

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?